On 25-Mar-04, at 3:03 PM, Andrew Gaffney wrote:

> Tom Hosiawa wrote:
>>> On Thu, Mar 25, 2004 at 12:46:25PM -0600, Andrew Gaffney wrote:
>>>
>>>> I've come up with a quick n' dirty Perl script to use portage's
>>>> MD5s in a tripwire fashion.
>>>>
>>>
>>> Didn't you know about qpkg? qpkg already does this, qpkg -c checks
>>> mtime and md5sum for all packages. With -v it will list the exact
>>> files that mismatch. The only thing that's lacking is checking the
>>> integrity of the md5sums themselves with some kind of signature.
>>>
>>> Regards,
>>>
>>> Michel Wilson.
>> What about qpkg being compromised itself? As I understand it, in
>> tripwire, cryptographic keys are used for the policy file.
>> Couldn't an attacker mess around with which files qpkg scans?
>
> That's another good reason for a custom portage-integrated solution.
>

Well, in theory any file on a machine could have been compromised
(including something built into portage). If you want to be absolutely
sure, I would recommend having your scan tools on removable media and
not dependent on anything on the machine you are scanning, like a USB
flash drive on your keychain or the like. As always, it depends on how
involved you want to get with things.

I wrote a little Python script a while back that did pretty much the
same sort of stuff, but I abandoned it as there were a lot of files
that showed up in scans that most definitely weren't compromised ...
many of which for good reasons (i.e. a newer package updated the file,
user modifications, etc.). To do it this way it would have to be more
than a simple script (taking into account duplicates, checking only
against the newest modification date on duplicates, giving users the
option to 'rescan' their files after they have made approved
modifications of them, etc.), and I wasn't willing to put that much
effort into such a script ;)

Mark
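The checker Mark sketches above (portage MD5s compared against the filesystem, duplicates resolved by newest mtime, and a "rescan" to re-baseline files the admin has approved) can be written in a few dozen lines. The script below is an added example written for this page, not Mark's abandoned script, qpkg, or any portage code. It assumes only the real on-disk layout of portage's per-package CONTENTS files (`obj <path> <md5> <mtime>` lines, with `dir` and `sym` entries carrying no hash); the package names, file contents and the tampered config file are constructed inside the `demo()` function so the example runs offline in a temporary directory rather than against a live /var/db/pkg.

```python
import hashlib
import os
import tempfile


def md5_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_contents(text):
    """Parse the 'obj <path> <md5> <mtime>' lines of a portage CONTENTS file.
    'dir' and 'sym' lines carry no hash and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "obj":
            records.append((parts[1], parts[2], int(parts[3])))
    return records


def build_baseline(contents_by_pkg):
    """Merge per-package records into one path -> (md5, mtime) map.
    When two packages list the same path, keep the record with the newest
    mtime: the file on disk belongs to whichever package installed last."""
    baseline = {}
    for text in contents_by_pkg.values():
        for path, digest, mtime in parse_contents(text):
            if path not in baseline or mtime > baseline[path][1]:
                baseline[path] = (digest, mtime)
    return baseline


def scan(baseline, root):
    """Compare every baseline entry against the filesystem under root.
    Returns path -> 'ok' | 'modified' | 'mtime-only' | 'missing'."""
    results = {}
    for path, (digest, mtime) in baseline.items():
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(real):
            results[path] = "missing"
        elif md5_file(real) != digest:
            results[path] = "modified"
        elif int(os.stat(real).st_mtime) != mtime:
            results[path] = "mtime-only"  # content intact, timestamp changed
        else:
            results[path] = "ok"
    return results


def approve(baseline, paths, root):
    """Re-baseline files the administrator has reviewed (the 'rescan' step)."""
    for path in paths:
        real = os.path.join(root, path.lstrip("/"))
        baseline[path] = (md5_file(real), int(os.stat(real).st_mtime))
    return baseline


def demo():
    """Constructed scenario: two packages, one duplicate path, one edited
    config file and one record whose file is absent. Returns the scan
    results before and after the admin approves the config edit."""
    root = tempfile.mkdtemp()
    files = {
        "/usr/bin/alpha-tool": b"#!/bin/sh\necho alpha\n",
        "/usr/bin/shared-tool": b"#!/bin/sh\necho shared v2\n",
        "/etc/beta.conf": b"setting=1\n",
    }
    for path, data in files.items():
        real = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(real), exist_ok=True)
        with open(real, "wb") as f:
            f.write(data)
        os.utime(real, (2000, 2000))  # pin mtime so it matches the records

    def h(data):
        return hashlib.md5(data).hexdigest()

    # Constructed CONTENTS text; alpha-1.0 carries a stale record for
    # shared-tool that beta-2.0 later overwrote (newer mtime).
    contents = {
        "app-misc/alpha-1.0": (
            "obj /usr/bin/alpha-tool %s 2000\n" % h(files["/usr/bin/alpha-tool"])
            + "obj /usr/bin/shared-tool %s 1000\n" % h(b"old shared")
            + "obj /usr/bin/gone %s 2000\n" % h(b"never installed")
        ),
        "app-misc/beta-2.0": (
            "dir /etc\n"
            + "obj /etc/beta.conf %s 2000\n" % h(files["/etc/beta.conf"])
            + "obj /usr/bin/shared-tool %s 2000\n" % h(files["/usr/bin/shared-tool"])
        ),
    }
    baseline = build_baseline(contents)

    # Simulate a legitimate local edit of the config file.
    with open(os.path.join(root, "etc/beta.conf"), "ab") as f:
        f.write(b"setting=2\n")

    before = scan(baseline, root)
    approve(baseline, ["/etc/beta.conf"], root)
    after = scan(baseline, root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path in sorted(before):
        print("%-22s before=%-9s after=%s" % (path, before[path], after[path]))
```

Without the newest-mtime rule in `build_baseline`, `/usr/bin/shared-tool` would be reported as modified on every run, which is exactly the false-positive noise Mark describes. The baseline produced here has the same weakness Michel points out for qpkg: it is only as trustworthy as the CONTENTS files it was built from, so for a real deployment the merged baseline (and the script itself) belongs on the removable media Mark suggests, ideally with a signature over it, rather than on the host being checked.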

--
gentoo-security@g.o mailing list